on ‎2021 Oct 02 11:11 PM
We are creating universes, (site) folders, etc., for SAP 4.3 Business Object application using the Java SDK. The folder is getting created successfully in the CMC console, but for some reason the permissions are not getting assigned correctly/saved for that folder. This is the code generating the folders and attempting to create the permissions on it. I believe this code works for the 3.1 version of the BO jars, and we just upgraded the jars to 4.3. I am not sure if we are missing anything. I tried to follow the documentation from the SAP SDK Developer guide, but have not had any luck yet:
https://help.sap.com/viewer/0225aa3e7b4b4b17b2d4a882e6f2de96/4.3.1/en-US/45a879976e041014910aba7db0e...
For reference, this is the code where we look up the existing folder (that we create initially), and then pass it to the addAccessLevel method below which should assign the security on the folder.
// IFolder siteFolder = getBoxiConnection().lookupFolder(siteFolderName); // method to lookup the folder
// The IInfoObject item passed in the method below is this IFolder siteFolder which has been created successfully
public void addAccessLevel(IInfoObject item, int principalId, int accessLevelId) throws SDKException {
    ISecurityInfo2 secInfo = item.getSecurityInfo2();
    IExplicitPrincipals principals = secInfo.getExplicitPrincipals();
    IExplicitPrincipal viewerPrincipal = principals.add(principalId); // principalId is the viewer group Id
    IExplicitRoles iexplicitRoles = viewerPrincipal.getRoles();
    viewerPrincipal.getRoles().add(accessLevelId); // accessLevelId is the viewer access level id
    item.save();
}
It seems like this save is not actually saving the above security/permission on the item/folder, as the permissions in the CMC console on the folder don't seem to have changed to include this new one. Is there something extra that needs to be done to get it to save?
You should remove all Roles and Rights from the ExplicitPrincipal after adding the principal and before adding the access level.
Also make sure to cast "item" as the IFolder.
Here is some code I used:
......
// add principal
boExplicitPrincipal = boExplicitPrincipals.add(principalID);
.....
// Remove all Roles from the ExplicitPrincipal.
// Since the IExplicitRoles collection does not permit remove
// during iteration, get all role IDs, then remove each in turn.
roleIDs = new ArrayList();
for (Iterator irole = boExplicitPrincipal.getRoles().iterator(); irole.hasNext(); ) {
    roleIDs.add(Integer.valueOf(((IExplicitRole) irole.next()).getID()));
}
for (Iterator iroleID = roleIDs.iterator(); iroleID.hasNext(); ) {
    boExplicitPrincipal.getRoles().remove(((Integer) iroleID.next()).intValue());
}
// Remove all Rights from the ExplicitPrincipal.
// Since the IExplicitRights collection does not permit remove
// during iteration, get all RightDescriptor objects, then remove each in turn.
rightDescriptors = new ArrayList();
for (Iterator iright = boExplicitPrincipal.getRights().iterator(); iright.hasNext(); ) {
    rightDescriptors.add(((IExplicitRight) iright.next()).getRightDescriptor());
}
for (Iterator iright = rightDescriptors.iterator(); iright.hasNext(); ) {
    boExplicitPrincipal.getRights().remove((RightDescriptor) iright.next());
}
.....
// Add the access level only after the existing roles and rights have been cleared.
boExplicitPrincipal.getRoles().add(accessLevelId);
I hope it helps.
Thank you Ayman for the response, and sorry for the late reply. I was trying out a few things to make sure I am not missing anything before responding back :).
I tried following your advice and now it kind of works, except that it is not able to save one of the user security/permissions on the folder. A couple of things to note:
Initially I was adding three explicit principals (with an explicit role for each of those) to the IInfoObject item, and then saving them all at the end (using the IFolder save method) in the method from which the addAccessLevel method is called. For some reason, that does not work when you try to save with all three at the same time.
Now I tried doing the save (using the same IFolder save method), but after every explicit principal/role addition for the folder, and it saves them successfully now (for the most part, except for one of them).
It is not able to save one of those three principals/roles on the folder...
We have three principals/groups, each of them having an access level that needs to be applied to the folder. Two of them ('our_site_admin_group' with an access level of 'Adhoc Report Viewing', and 'our_site_adhoc_group' also with an access level of 'Adhoc Report Viewing') are being saved successfully, but the third one ('our_site_view_group' with an access level of 'Report Viewing') is not being saved; it does not show up in the CMC console on that folder. Even though from the debug statements in the code it shows all the right values are being passed in, and there is no difference in the code between how it assigns the explicit principal and explicit role for this one versus the other two successful ones. From the looks of it, it should be saving this one too.
Is there something more that I could look at or I am missing for this third one? I checked the group and role which are being assigned, and they both seem valid (created successfully and displaying in the CMC console, etc.)
Have you checked that you can add the third one ('our_site_view_group' with 'Report Viewing' access level) in CMC? The user you are using to add may not have access to the 'Report Viewer' access level or 'our_site_view_group'.
Also make sure you are using the correct ID for "Report Viewer" and "our_site_view_group".
Thanks for the reply Ayman. Yes, I am able to 'add and assign' the security on that folder for that principal 'our_site_view_group' with the access level 'Report Viewing' from the CMC console. The code is using the same credentials for all operations it is performing, which are the same CMS username and CMS password that I used to login to the CMC console.
I also verified the ID for the principal 'our_site_view_group' and the access level 'Report Viewing' from the CMC from the properties on those, which matches the values/IDs that the code is using to add on the folder for that principal/access level.
Since I don't have the full modified code, you should just try more tests like for example:
- Principal 'our_site_view_group' with a different access level.
- Different principal 'xxxxxx' with the access level 'Report Viewing'.
- Applied to another folder.
- Only add the principal 'our_site_view_group' and the access level 'Report Viewing'.
- Try the 'Administrator' user.
.......
So I was able to get it to work in an unexpected way. I tested all the above 5 combinations, but it still did not work for any of them. Then I realized through some more testing that, for some reason, it just does not add/save the first access level (explicit principal) in the list, no matter which one it is. So it is not an issue with the specific 'view' principal/access level. If I reverse the order of the three explicit principals/access levels that are being saved, whichever is the first one does not get added/saved, but the other two do get saved for the folder - even though I call 'save' individually after adding each one!
To get around this for now, I just add/save the first one twice, so now I get all three of those to show up for the folder.
I am not sure why it could be doing this, or if there is a better/alternate way to do this.
I think the problem is somewhere in your code.
Also try to enable/disable the inheritance of rights and roles from parent folders and users.
Add the following code just before/after adding the access level.
// Enable/Disable (true/false) inheritance of rights and roles from parent folders and Users.
boExplicitPrincipal.setInheritFolders(true);
boExplicitPrincipal.setInheritGroups(true);